Merge pull request #111 from romainneutron/allow-from
Fix ALLOW-FROM implementation
romainneutron committed Aug 23, 2016
2 parents e8977f2 + 84e6498 commit b84e1d1
Showing 4 changed files with 11 additions and 6 deletions.
5 changes: 4 additions & 1 deletion CHANGELOG.md
@@ -1,3 +1,6 @@
### 2.0.2 (2016-xx-xx)
* Fix typo in the ALLOW-FROM implementation

### 2.0.1 (2016-06-04)
* Fix CookieSessionHandler::open that should return true unless there's an error

Expand Down Expand Up @@ -46,7 +49,7 @@
### 1.5.0 (2015-01-01)

* Added ability to have different configs for both reported and enforced CSP rules
* Added support for ALLOW and ALLOW FROM syntaxes in the Clickjacking Protection
* Added support for ALLOW and ALLOW-FROM syntaxes in the Clickjacking Protection
* Added support for HHVM and PHP 5.6
* Fixed enabling of cookie signing when the cookie list is empty

6 changes: 3 additions & 3 deletions DependencyInjection/Configuration.php
Expand Up @@ -67,7 +67,7 @@ public function getConfigTreeBuilder()
$v = array('header' => $v ?: 'DENY');
}
if (isset($v['header'])) {
$v['header'] = preg_replace_callback('{^(?:ALLOW|DENY|SAMEORIGIN)(?: FROM)?}i', function ($m) { return strtoupper($m[0]); }, $v['header']);
$v['header'] = preg_replace_callback('{^(?:ALLOW|DENY|SAMEORIGIN|ALLOW-FROM)?}i', function ($m) { return strtoupper($m[0]); }, $v['header']);
}

return $v;
Expand All @@ -76,9 +76,9 @@ public function getConfigTreeBuilder()
->validate()
->ifTrue(function ($v) {
return isset($v['header']) && !in_array($v['header'], array('DENY', 'SAMEORIGIN', 'ALLOW'), true)
&& !preg_match('{^ALLOW FROM \S+}', $v['header']);
&& !preg_match('{^ALLOW-FROM \S+}', $v['header']);
})
->thenInvalid('Possible header values are DENY, SAMEORIGIN, ALLOW and ALLOW FROM [url], got: %s')
->thenInvalid('Possible header values are DENY, SAMEORIGIN, ALLOW and ALLOW-FROM [url], got: %s')
->end()
->children()
->scalarNode('header')->defaultValue('DENY')->end()
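Review bot: Alternation order in the new `preg_replace_callback` pattern breaks lower-case configuration: PCRE takes the first alternative that matches, so a value such as `allow-from https://biz.example.org` matches `ALLOW`, only that prefix is uppercased, and the resulting `ALLOW-from https://biz.example.org` is then rejected by the case-sensitive `^ALLOW-FROM \S+` check in the second hunk (the removed pattern covered this with its `(?: FROM)?` tail). Put the longer alternative first and drop the trailing `?`, which only makes the group succeed on an empty match: `$v['header'] = preg_replace_callback('{^(?:ALLOW-FROM|ALLOW|DENY|SAMEORIGIN)}i', function ($m) { return strtoupper($m[0]); }, $v['header']);`. Separately, `\S+` asserts only that something non-blank follows the keyword, not that it is a single origin, so a mistyped URI is still emitted in the response header; given the README's own note that ALLOW-FROM is poorly supported, a browser that does not recognise the value may well leave the page frameable, which deserves at least a comment on the validation. The closure and `getConfigTreeBuilder()` continue outside the hunk.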
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -389,7 +389,7 @@ supports the `ALLOW` option which skips the creation of the header for the match
want to whitelist a few URLs and then DENY everything else.

One more option, as of yet [not well supported](https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options),
is to use `ALLOW FROM uri` where `uri` can be any origin URL, from
is to use `ALLOW-FROM uri` where `uri` can be any origin URL, from
`example.org` to `https://example.org:123/sub/path`. This lets you specify
exactly which domain can embed your site, in case you have a multi-domain setup.

Expand All @@ -410,7 +410,7 @@ nelmio_security:
clickjacking:
paths:
'^/iframes/': ALLOW
'^/business/': 'ALLOW FROM https://biz.example.org'
'^/business/': 'ALLOW-FROM https://biz.example.org'
'^/local/': SAMEORIGIN
'^/.*': DENY
content_types: []
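--- a/Tests/Listener/ClickjackingListenerTest.php
+++ b/Tests/Listener/ClickjackingListenerTest.php
@@ -28,6 +28,7 @@ protected function setUp()
 $this->listener = new ClickjackingListener(array(
 '^/frames/' => array('header' => 'ALLOW'),
 '/frames/' => array('header' => 'SAMEORIGIN'),
+'/this/allow' => array('header' => 'ALLOW-FROM http://biz.domain.com'),
 '^/.*' => array('header' => 'DENY'),
 '.*' => array('header' => 'ALLOW'),
 ));
@@ -49,6 +50,7 @@ public function provideClickjackingMatches()
 array('/', 'DENY'),
 array('/test', 'DENY'),
 array('/frames/foo', null),
+array('/this/allow', 'ALLOW-FROM http://biz.domain.com'),
 array('/sub/frames/foo', 'SAMEORIGIN'),
 );
 }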
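Review bot: The added dataset hands an already-canonical `ALLOW-FROM http://biz.domain.com` straight to `ClickjackingListener`, so it only shows that the listener passes the string through unchanged; the keyword normalisation and `^ALLOW-FROM \S+` validation this commit also edits in DependencyInjection/Configuration.php are not exercised by any test in the diff. A Configuration-level case with a lower-case value such as `'allow-from http://biz.domain.com'` asserting the uppercased header would cover that path and guard it against regressions in the pattern. Both `setUp()` and `provideClickjackingMatches()` begin and end outside the hunks.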
